
Installation guide for securing the authentication to your F5 Big-IP APM solution with Nordic Edge One Time Password Server, delivering strong authentication via SMS to your mobile phone.

1 Summary

This is the complete installation guide for securing the authentication to your F5 Big-IP APM with Nordic Edge One Time Password Server 3, delivering strong authentication via SMS to your mobile phone. You will be able to test the product with your existing F5 Big-IP APM and LDAP user database, without making any changes that affect existing users. The guide will also allow you to make the complete installation efficiently, using a maximum of 1 hour.

Nordic Edge provides several methods for delivering one time passwords, like the mobile client Pledge, e-mail, tokens, prefetch, Yubikey etc.; however, in this test we are only going to use SMS.

This is a step-by-step guide that covers the entire Nordic Edge OTP Server installation from A to Z. It is based on the scenario that you are running your F5 Big-IP APM against Active Directory, and that you install the One Time Password Server on a Windows Server. The One Time Password Server is platform independent and works with all other LDAP user databases, like eDirectory, Sun One, OpenLDAP etc. If you are not running Active Directory or Windows, and if you have any questions regarding the slight differences in the installation process, you are most welcome to contact us at and we will take you through the entire process.

2 Prerequisites

You will need to have done a basic installation of F5 Big-IP APM. As this guide only shows you how to enable SMS password functionality for secure login, you will need to have a server available, for example a virtual machine with Windows Server 2003 installed with Ethernet in bridge mode. The server needs to have an IP address configured and must also be able to reach your DNS servers, your F5 Big-IP APM solution and the Active Directory. Since the software is quite small and easy to remove, you can also use any existing server in your network.

Definitions

In this step-by-step guide, the F5 Big-IP APM whose authentication is being secured is referred to as "SSL-VPN Solution".

Important information regarding communication

The One Time Password Server is software that you can place on any server in your internal network or DMZ.
- The One Time Password Server needs to be able to communicate (outbound traffic) with your LDAP or JDBC user database. Default port for LDAP and Secure LDAP is TCP port 389 /
- The SSL-VPN solution needs to be able to communicate (outbound traffic) with the One Time Password Server with RADIUS, UDP port 1812 or 1645.
- If you want to use the Nordic Edge SMS Gateway, the One Time Password Server needs to be able to communicate (outbound traffic) with otp.nordicedge.net and otp.nordicedge.se with HTTPS on TCP port 443.

In this test scenario you will communicate with RADIUS port 1812 or 1645 and use our Nordic Edge SMS Gateway.

3 Getting started

3.1 Register and download the software

Go to and click "PRODUCTS". Under "One Time Password Server" choose "Download".

You will receive a link for downloading the software. A 30-day evaluation license will be sent via when you download the software. Download the 32- or 64-bit version depending on your platform.

4 Installation

4.1 Start the installation

Start the installation on the server where you want to install the One Time Password Server. Please note that if you are installing on a Windows 2008 Server you need to right-click on otp3install.exe in Explorer and click Run as Administrator.


4.2 Installing license

Choose the license.dat that you have received via .


Leave it at the default (Yes) and click Done.


5 Configuring the One Time Password Server

5.1 Start the OTP Configurator

Start the OTP Configurator by clicking on the left button, Configuration.

5.2 Configure the One Time Password Server

On the Server page you can set the length of the one time password and for how long it should be valid. Default is 5 minutes. You can also set a default country prefix, which means that you will not need to state it in the mobile attribute. For more information regarding the optional settings, please see the One Time Password Server 3 Administration manual. For now, leave this page as default and go on to the next part, Configure RADIUS.

5.3 Configure RADIUS

Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with your SSL-VPN server. In this example we are using RADIUS port 1812.

Click Save config.

5.4 Configure databases

In this setup we are going to use the LDAP database Microsoft Active Directory. Change to the Databases tab and click on the LDAP Database button.


5.5 Configure LDAP Host Settings

For our configuration we are going to use the Active Directory installed on the same server as the One Time Password Server. We will use the internal IP address ( ) as host address. We will use the standard LDAP port number (389) to communicate with Active Directory. For Admin DN we are going to use the Administrator to search for users in the Active Directory. For now this user only needs read rights to the user objects, but be aware that you later might want to use options like disabling accounts and the Pledge Enrollment concept for the Pledge Mobile Client. In cases like these the Admin DN needs rights to modify the disable-account attribute and to store OATH keys in optional user attributes.

Configure your LDAP host settings and click Test. You should now get a message saying "LDAP connection success". Click OK and Save. Next step is to configure the LDAP database settings.

5.6 Configure the LDAP database settings

The Base DN is the search base under which your users are located. Click on the button with three dots at the right side of the Base DN field to browse your LDAP database. Click on the Organizational Unit or Organization where you store your user objects and click OK.

5.7 Configure search filter

Next step is to configure the search filter that lets the One Time Password Server search for the right object classes and attributes according to Microsoft Active Directory. Click on the Sample button, choose the filter template for MS Active Directory and click OK twice.

5.8 Test LDAP Authentication

Click on the Test LDAP Authentication button and type in the user ID for a user you want to try to authenticate.

Type in the password. If everything is correctly configured you will get a success message.

6 Configure the SSL-VPN client settings

Since we are configuring the One Time Password Server to act as RADIUS server, the actual SSL-VPN server / appliance is considered a client to the One Time Password Server. In this step we are going to configure the settings for the SSL-VPN client. In the left pane click on Clients.

Type in a name for your SSL-VPN server and the IP address of your SSL-VPN server. Type in the RADIUS shared secret (this must match the shared secret in Access Gateway). Choose the Active Directory you configured earlier as User Database. Click Save.

7 Configure Delivery Method

The Delivery Methods object category is used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords. One Time Password Server offers various methods like SMS, OATH tokens, Instant Messaging, HTTP and Yubikey. In this example we will use SMS as method and the Nordic Edge SMS service as SMS provider. During the evaluation phase, customers may use our Nordic Edge SMS service free of charge for 30 days from the activation of the Demo Account.

In the left pane, click Delivery Methods and then Nordic Edge SMS. In the right pane enable Nordic Edge SMS Gateway. To request a demo account, click Request a demo account. Click Yes.

You should now get a success message, and the username and password for the Nordic Edge SMS Gateway have automatically been filled in. Click OK and Save Config.

8 Restart the One Time Password Server as Windows Service

In the server panel, click Shutdown.

In Windows Control Panel, open Administrative Tools / Services. Find the NordicEdge OTPServer service, right-click on it and click Start.


9 Add mobile phone number with Microsoft Management Console

Add the mobile phone number to your test user's Mobile attribute: start the Microsoft MMC, select the user that you want to use for testing and enter the mobile phone number in the Mobile attribute.

10 Configuring F5 Big-IP APM

To use the Nordic Edge OTP Server, you have to configure a RADIUS authentication server, bind the server to an access profile and then use this access profile in the SSL-VPN Virtual Server. In this example, we already have an access profile and a Virtual Server for remote access. There are multiple ways to set up remote access. You can for example do this with the Device Wizards that will guide you through this process. For a detailed discussion on how to configure a SSL-VPN server, please review the BIG-IP Administration Guide.

Adding the authentication server

First step is to add a RADIUS authentication server. Go to Access Policy --> AAA Servers --> RADIUS and click the + button.

- Secret: Enter the secret key and confirm it (this must match the shared secret in OTP Server).
- Timeout: Raise the server time-out to 25 seconds. This allows the RADIUS server to respond with an alternative attribute to F5 Big-IP APM if the operator fails to deliver the OTP SMS.

After the server is added, an overview can be found under "AAA Servers By Type".
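The shared secret entered in section 6 (on the OTP Server) and in section 10 (on the F5 Big-IP APM) is what lets each side validate the other's RADIUS packets. As an added illustration, not code from Nordic Edge or F5, the following Python snippet builds an Access-Request with a PAP-encrypted User-Password and checks the Response Authenticator of the reply as defined in RFC 2865; a reply produced with a mismatched secret fails the check. The user name, password, secrets and the use of Access-Challenge as the reply code are constructed for the example.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                     # RFC 2865 attribute types

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, secret, username, password, authenticator=None):
    """Access-Request as the SSL-VPN (RADIUS client) sends it to the OTP Server."""
    authenticator = authenticator or os.urandom(16)          # 16 random bytes per request
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    enc = pap_encrypt(password, secret, authenticator)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(enc)) + enc
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(response, request, secret):
    """Client-side check of the reply: wrong secret, wrong ID or tampering -> False."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo(client_secret=b"constructed-secret", server_secret=b"constructed-secret"):
    """True only when both sides were configured with the same shared secret (constructed values)."""
    req = build_access_request(7, client_secret, b"jdoe", b"Passw0rd!")
    reply = build_response(ACCESS_CHALLENGE, req, server_secret)   # e.g. "enter the SMS code"
    return verify_response(reply, req, client_secret)
```

If the secrets differ, the SSL-VPN side silently discards the reply and the logon eventually times out, which is why a mismatch typically shows up as a RADIUS timeout rather than an explicit error.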

10.3 Test the configuration

Navigate to the BIG-IP Virtual Server logon page. Enter the Microsoft Active Directory user name and password used earlier to configure the OTP server. After entering your credentials, press Logon to continue. A Flash SMS will be delivered to your mobile phone containing the One Time Password.


Enter the One Time Password and click on Logon. You will now be logged in, and depending on the configured access profile, your VPN connection can be a full SSL-VPN tunnel, a clientless session etc. This can be controlled in a way that lets the connecting user choose the connection type, or it can be enforced by the administrator.

Nordic Edge One Time Password (OTP Server) has comprehensive RADIUS support, including support for multiple authentication methods. This means that the end user can choose the authentication method: SMS,
